[1.9>master] [1.8>1.9] [MERGE #4963 @rajatd] ChakraCore 2018-04 secur…

…ity updates Merge pull request #4963 from rajatd:servicing/1804
chakra-core · Apr 11, 2018 · b323504 · b323504
2 parents 7de7b31 + 495de1a
commit b323504
Show file tree

Hide file tree

Showing 27 changed files with 475 additions and 245 deletions.
diff --git a/lib/Backend/GlobOpt.cpp b/lib/Backend/GlobOpt.cpp
@@ -14902,12 +14902,15 @@ InvariantBlockBackwardIterator::InvariantBlockBackwardIterator(
     BasicBlock *const exclusiveBeginBlock,
     BasicBlock *const inclusiveEndBlock,
     StackSym *const invariantSym,
-    const ValueNumber invariantSymValueNumber)
+    const ValueNumber invariantSymValueNumber,
+    bool followFlow)
     : globOpt(globOpt),
     exclusiveEndBlock(inclusiveEndBlock->prev),
     invariantSym(invariantSym),
     invariantSymValueNumber(invariantSymValueNumber),
-    block(exclusiveBeginBlock)
+    block(exclusiveBeginBlock),
+    blockBV(globOpt->tempAlloc),
+    followFlow(followFlow)
 #if DBG
     ,
     inclusiveEndBlock(inclusiveEndBlock)
@@ -14945,6 +14948,11 @@ InvariantBlockBackwardIterator::MoveNext()
             break;
         }
 
+        if (!this->UpdatePredBlockBV())
+        {
+            continue;
+        }
+
         if(block->isDeleted)
         {
             continue;
@@ -14972,6 +14980,28 @@ InvariantBlockBackwardIterator::MoveNext()
     }
 }
 
+bool
+InvariantBlockBackwardIterator::UpdatePredBlockBV()
+{
+    if (!this->followFlow)
+    {
+        return true;
+    }
+
+    // Track blocks we've visited to ensure that we only iterate over predecessor blocks
+    if (!this->blockBV.IsEmpty() && !this->blockBV.Test(this->block->GetBlockNum()))
+    {
+        return false;
+    }
+
+    FOREACH_SLISTBASECOUNTED_ENTRY(FlowEdge*, edge, this->block->GetPredList())
+    {
+        this->blockBV.Set(edge->GetPred()->GetBlockNum());
+    } NEXT_SLISTBASECOUNTED_ENTRY;
+
+    return true;
+}
+
 BasicBlock *
 InvariantBlockBackwardIterator::Block() const
 {

diff --git a/lib/Backend/GlobOpt.h b/lib/Backend/GlobOpt.h
@@ -391,13 +391,16 @@ class InvariantBlockBackwardIterator
     const ValueNumber invariantSymValueNumber;
     BasicBlock *block;
     Value *invariantSymValue;
+    BVSparse<JitArenaAllocator> blockBV;
+    bool followFlow;
 
 #if DBG
     BasicBlock *const inclusiveEndBlock;
 #endif
 
+    bool UpdatePredBlockBV();
 public:
-    InvariantBlockBackwardIterator(GlobOpt *const globOpt, BasicBlock *const exclusiveBeginBlock, BasicBlock *const inclusiveEndBlock, StackSym *const invariantSym, const ValueNumber invariantSymValueNumber = InvalidValueNumber);
+    InvariantBlockBackwardIterator(GlobOpt *const globOpt, BasicBlock *const exclusiveBeginBlock, BasicBlock *const inclusiveEndBlock, StackSym *const invariantSym, const ValueNumber invariantSymValueNumber = InvalidValueNumber, bool followFlow = false);
 
 public:
     bool IsValid() const;

diff --git a/lib/Backend/GlobOptArrays.cpp b/lib/Backend/GlobOptArrays.cpp
@@ -981,7 +981,8 @@ void GlobOpt::ArraySrcOpt::DoLowerBoundCheck()
                     globOpt->currentBlock->next,
                     hoistBlock,
                     hoistInfo.IndexSym(),
-                    hoistInfo.IndexValueNumber());
+                    hoistInfo.IndexValueNumber(),
+                    true);
                 it.IsValid();
                 it.MoveNext())
             {
@@ -1257,7 +1258,7 @@ void GlobOpt::ArraySrcOpt::DoUpperBoundCheck()
         Assert(!hoistInfo.Loop() || hoistBlock != globOpt->currentBlock);
         if (hoistBlock != globOpt->currentBlock)
         {
-            for (InvariantBlockBackwardIterator it(globOpt, globOpt->currentBlock->next, hoistBlock, nullptr);
+            for (InvariantBlockBackwardIterator it(globOpt, globOpt->currentBlock->next, hoistBlock, nullptr, InvalidValueNumber, true);
                 it.IsValid();
                 it.MoveNext())
             {

diff --git a/lib/Runtime/Base/ThreadContext.cpp b/lib/Runtime/Base/ThreadContext.cpp
@@ -69,6 +69,7 @@ const Js::PropertyRecord * const ThreadContext::builtInPropertyRecords[] =
 };
 
 ThreadContext::RecyclableData::RecyclableData(Recycler *const recycler) :
+    pendingFinallyException(nullptr),
     soErrorObject(nullptr, nullptr, nullptr, true),
     oomErrorObject(nullptr, nullptr, nullptr, true),
     terminatedErrorObject(nullptr, nullptr, nullptr),
@@ -91,7 +92,6 @@ ThreadContext::ThreadContext(AllocationPolicyManager * allocationPolicyManager,
     isThreadBound(false),
     hasThrownPendingException(false),
     hasBailedOutBitPtr(nullptr),
-    pendingFinallyException(nullptr),
     noScriptScope(false),
     heapEnum(nullptr),
     threadContextFlags(ThreadContextFlagNoFlag),

diff --git a/lib/Runtime/Base/ThreadContext.h b/lib/Runtime/Base/ThreadContext.h
@@ -411,8 +411,6 @@ class ThreadContext sealed :
 
 private:
     const Js::PropertyRecord * emptyStringPropertyRecord;
-
-    Js::JavascriptExceptionObject * pendingFinallyException;
     bool noScriptScope;
 
 #ifdef ENABLE_SCRIPT_DEBUGGING
@@ -523,6 +521,8 @@ class ThreadContext sealed :
         Field(Js::TempArenaAllocatorObject *) temporaryArenaAllocators[MaxTemporaryArenaAllocators];
         Field(Js::TempGuestArenaAllocatorObject *) temporaryGuestArenaAllocators[MaxTemporaryArenaAllocators];
 
+        Field(Js::JavascriptExceptionObject *) pendingFinallyException;
+
         Field(Js::JavascriptExceptionObject *) exceptionObject;
         Field(bool) propagateException;
 
@@ -1265,12 +1265,12 @@ class ThreadContext sealed :
 
     void SetPendingFinallyException(Js::JavascriptExceptionObject * exceptionObj)
     {
-        pendingFinallyException = exceptionObj;
+        recyclableData->pendingFinallyException = exceptionObj;
     }
 
     Js::JavascriptExceptionObject * GetPendingFinallyException()
     {
-        return pendingFinallyException;
+        return recyclableData->pendingFinallyException;
     }
 
     Js::EntryPointInfo ** RegisterEquivalentTypeCacheEntryPoint(Js::EntryPointInfo * entryPoint);